SecDir: A secure directory to defeat directory side-channel attacks

Mengjia Yan, Jen Yang Wen, Christopher Wardlaw Fletcher, Josep Torrellas

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Directories for cache coherence have been recently shown to be vulnerable to conflict-based side-channel attacks. By forcing directory conflicts, an attacker can evict victim directory entries, which in turn trigger the eviction of victim cache lines from private caches. This evidence strongly suggests that directories need to be redesigned for security. The key to a secure directory is to block interference between processes. Sadly, in an environment with many cores, this is hard or expensive to do. This paper presents the first design of a scalable secure directory. We call it SecDir. SecDir takes part of the storage used by a conventional directory and re-assigns it to per-core private directory areas used in a victim-cache manner called Victim Directories (VDs). The partitioned nature of VDs prevents directory interference across cores, defeating directory side-channel attacks. The VD of a core is distributed, and holds as many entries as lines in the private L2 cache of the core. To minimize victim self-conflicts in a VD during an attack, a VD is organized as a cuckoo directory. Such a design also obscures the victim's conflict patterns from the attacker. For our evaluation, we model with simulations the directory of an Intel Skylake-X server with and without SecDir. Our results show that SecDir has a negligible performance overhead. Furthermore, SecDir is area-efficient.

Original language: English (US)
Title of host publication: ISCA 2019 - Proceedings of the 2019 46th International Symposium on Computer Architecture
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 332-345
Number of pages: 14
ISBN (Electronic): 9781450366694
DOIs: https://doi.org/10.1145/3307650.3326635
State: Published - Jun 22 2019
Event: 46th International Symposium on Computer Architecture, ISCA 2019 - Phoenix, United States
Duration: Jun 22 2019 → Jun 26 2019

Publication series

Name: Proceedings - International Symposium on Computer Architecture
ISSN (Print): 1063-6897

Conference

Conference: 46th International Symposium on Computer Architecture, ISCA 2019
Country: United States
City: Phoenix
Period: 6/22/19 → 6/26/19

Fingerprint

Servers
Side channel attack

Keywords

  • Cache-coherence directories
  • Cuckoo hashing
  • Side-channel attacks

ASJC Scopus subject areas

  • Hardware and Architecture

Cite this

Yan, M., Wen, J. Y., Fletcher, C. W., & Torrellas, J. (2019). SecDir: A secure directory to defeat directory side-channel attacks. In ISCA 2019 - Proceedings of the 2019 46th International Symposium on Computer Architecture (pp. 332-345). (Proceedings - International Symposium on Computer Architecture). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1145/3307650.3326635
